User Guide
Table of Contents
1 About this product (page 7)
1.1 Features and benefits (page 7)
1.2 Compatibility (page 8)
1.3 Performance (page 8)
1.4 Support (page 8)
Downloaded from www.Manualslib.com manuals search engine
C Question modules (page 33)
D Sample weight files (page 63)
D.1 all.weight (page 63)
D.2 CIS.weight (page 64)
List of Tables
3-1 Question modules (page 12)
A-1 Security levels (page 27)
A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings (page 28)
A-3 Additional Sec20MngDMZ security settings (page 29)
A-4 Additional Sec30DMZ security settings (page 29)
Returns the security configuration to the state before HP-UX Bastille was run with the
revert (-r) feature.
Provides a safety net in case of unexpected incompatible changes when hardening
running systems.
1.2 Compatibility
There are no differences between the Intel Itanium-based and PA-RISC implementation. Some
products depend on services, system settings, or network ports that HP-UX Bastille secures. In
cases where products depend on out-of-the-box settings that HP-UX Bastille might change,
dependencies are documented.
HP-UX Bastille is available for the following operating systems:
HP-UX 11i v1 (11.11)
HP-UX 11i v2 (11.23)
HP-UX 11i v3 (11.31)
NOTE: HP-UX Bastille for 11i v1 is still supported, but no longer being developed.
For more information about HP-UX Bastille compatibility with Serviceguard, see Appendix B
(page 31) and the Serviceguard documentation available at http://docs.hp.com/en/netsys.html.
1.3 Performance
Although HP-UX Bastille does not directly affect performance, IPFilter settings such as a host-based
firewall can cause a slight decrease in network performance. Install Time Security (ITS) does not
affect performance, but if the DMZ or MngDMZ security levels are used, IPFilter packet filtering
might slow network performance.
1.4 Support
For customers with an HP-UX support agreement, technical support is available through the HP
World Wide Response Centers at www.hp.com/support. Support is also offered through the IT
Resource Center at www.itrc.hp.com.
For the HP-UX discussion forum, from the ITRC home page click Forums > HP-UX > Security.
Or, the direct link is ITRC Forums Security.
If you find a security vulnerability associated with HP-UX Bastille, report it at:
http://welcome.hp.com/country/us/en/sftware_security.html.
HP-UX Bastille makes changes that can potentially affect the functionality of other software. If
you experience problems after applying HP-UX Bastille changes to your system, be sure your
support contact knows that you run HP-UX Bastille on your system.
2.2 Installation
HP-UX Bastille is included as recommended software on the Operating Environment media and
can be installed and run with Ignite-UX or Update-UX. HP-UX Bastille is installed by default,
and a manual installation is only necessary to obtain the latest version from the web.
To download the latest version of HP-UX Bastille, see the following website:
http://www.hp.com/go/bastille
Installation command:
# swinstall -s <path to depot> HPUXBastille
Assessing a system
HP-UX Bastille assesses the existing security configuration state of an HP-UX system by
testing the system against each security issue. A reporting module creates files that contain
an itemized summary of the current security status of the system configuration. Files are
produced in HTML, text, and configuration formats. The percentage of weight items secured
properly is generated. This service can be used to audit a large number of machines that have
the same operating system and applications installed. Scored assessment reports can be used
to select only a subset of the security issues.
The most common use of HP-UX Bastille is on a single machine, using the GUI interface to
create and apply a customized security configuration profile in the same session. Only the
default configuration file is used. If modifications are required later, the HP-UX Bastille GUI
interface is invoked again to make changes and apply them in the same session.
If multiple machines or configuration files must be managed, the creation and application
of security configuration profiles are usually independent operations and scripted. In that
case, non-interactive command-line options may be more useful when configuring a system.
For example, with a set of similar HP-UX servers, a single initial "golden" configuration file
can be created on one machine with the GUI interface, then copied and applied to all the
other machines with the batch-mode option. Similarly, if multiple configuration files are
needed, then scripts using the -f option are frequently used.
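The golden-configuration workflow described above, as an added shell example that is not part of the manual: it stages one configuration file (saved with Save/Apply on a reference host, so it lives at /etc/opt/sec_mgmt/bastille/config) on each host in a list, applies it in batch mode with bastille -b -f, and pulls back each host's TODO.txt. It assumes root Secure Shell access (ssh/scp) to every target; the staging path REMOTE_CONFIG and the DRY_RUN switch are choices made here.

```shell
# Added example, not from the HP-UX Bastille manual. Paths of the
# configuration file and TODO.txt are the ones the manual documents;
# REMOTE_CONFIG is an assumed staging path on the target host.
GOLDEN=/etc/opt/sec_mgmt/bastille/config
REMOTE_CONFIG=/var/tmp/bastille-golden.config   # assumed staging path
TODO=/var/opt/sec_mgmt/bastille/TODO.txt

# Run a command, or just print it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Harden one host: stage the profile, apply it non-interactively (-b) from
# the explicit path (-f), then fetch the list of manual follow-up items
# that must be completed before the configuration counts as finished.
apply_golden() {
    host=$1
    run scp "$GOLDEN" "root@$host:$REMOTE_CONFIG" || return 1
    run ssh "root@$host" "bastille -b -f $REMOTE_CONFIG" || return 1
    run scp "root@$host:$TODO" "./TODO.$host.txt" || return 1
}

# Apply to every non-empty line of a host list file. Hosts that failed are
# reported on stderr and the function returns 1, so the run can be
# repeated for just those hosts once the machine is quiet again.
apply_to_all() {
    failed=""
    while read -r host; do
        [ -n "$host" ] || continue
        apply_golden "$host" || failed="$failed $host"
    done < "$1"
    [ -z "$failed" ] || { echo "failed:$failed" >&2; return 1; }
}
```

Review every collected TODO.<host>.txt afterwards; the manual states the configuration is only secure once those items are completed.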
4. Answer the questions that appear on screen. The questions are categorized by function.
Check marks are used as completion indicators to track your progress through the program.
Only questions that apply to your operating system and relate to installed tools appear.
Each question explains a security issue and describes the resulting action needed to lock
down the HP-UX system. Each question also describes the high-level cost and benefit of
each decision.
Use the Explain More/Explain Less button for more or less verbose explanations. Not all
questions have both long and short answers. For a complete list of questions with detailed
information about each item, see Appendix C (page 33).
Table 3-1 Question modules
Question module:
Patches
FilePermissions
AccountSecurity
Secureinetd
MiscellaneousDaemons
Sendmail
DNS
Apache
FTP
HP-UX
IPFilter
5. After you answer all the questions, the Save/Apply button appears. If you want to proceed
to configuring the system, click the Save/Apply button to save and apply your configuration.
HP-UX Bastille applies the changes as described in Configuring a system (page 13).
NOTE: You can use the menu bar to save or load a configuration file at any time during
the process. However, your configuration file contains additional questions that might be
irrelevant to the target system unless the file is saved with the Save/Apply button. This
button is at the end of the question list and only available after all the questions are complete.
The Save/Apply mechanism always saves a copy in the default location
/etc/opt/sec_mgmt/bastille/config. To save your configuration file in the location of your
choice, use the menu bar File item.
Otherwise, specify the path to the configuration file explicitly with the -f option:
# bastille -b -f file
2. If you are continuing from an HP-UX Bastille GUI session that is creating or modifying
the configuration file (see Creating a security configuration profile (page 11)), status
messages from the configuration process appear in the GUI box.
3. Complete the items in the TODO.txt file. This list is located in
/var/opt/sec_mgmt/bastille/TODO.txt.
NOTE: The configuration is secure after the items in the TODO.txt file are completed.
/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.html
/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report.txt
/var/opt/sec_mgmt/bastille/log/Assessment/assessment-report-log.txt
Figure 3-2 Standard assessment report
For each question, the standard report lists one of the following results:
Yes: The associated HP-UX Bastille lock down is applied to the product or service shipped
with HP-UX. The status of products or services that are not shipped with the HP-UX OE
is not always detected. HP-UX Bastille might not detect all variations of ways to disable
or enable a service or feature. Accepted standard configurations are detected.
No
<Set to value>
Not Defined
The assessment report contains the following columns in addition to the columns contained in
the standard report:
Weight: The weight column indicates the item was selected in the weights file.
Score: The score column displays a 1.00 if the item was both weighted and secured properly.
The percentage of weight items secured properly is displayed at the end of the .txt report and
in the header row of the .html report. For example, see Figure 3-4.
Sample weight files that match the default configuration files are provided in
/etc/opt/sec_mgmt/bastille/configs/defaults. This directory also includes the template file
all.weight which contains all possible HP-UX question items as selected. For sample files,
see Appendix D (page 63).
3.4 Reverting
If you want to revert the system files to the state they were in before HP-UX Bastille was run,
use the revert option:
# bastille -r
IMPORTANT: Before using the revert feature, read the revert-actions script to ensure
changes do not disrupt your system. This file appears in
/var/opt/sec_mgmt/bastille/revert/revert-actions.
If changes were made to the system after HP-UX Bastille was run, either manually or by other
programs, review those changes to verify they still work and have not broken the system or
compromised its security. Certain firewall options and reverting the system can make a system
less secure.
After running the revert option, look at the TOREVERT.txt file to ensure that the tasks needed
to finalize the revert process are complete. The file is located in
/var/opt/sec_mgmt/bastille/TOREVERT.txt.
IMPORTANT: When reverting to the configuration prior to the use of HP-UX Bastille, security
configuration changes are undone temporarily. Other manual configuration changes or additional
software installed after HP-UX Bastille was initially run might require a manual merge of
configuration settings.
To save a baseline:
# bastille_drift --save_baseline baseline
Run the bastille_drift utility when new software or patches are installed to check for
changes in the system. The bastille_drift utility also identifies system changes when
swverify is run using -x fix=true or the -F option for vendor-specific fix scripts.
For more information, see bastille_drift(1M).
The Drift file contains information about any configuration drift experienced since the last
HP-UX Bastille run. This file is only created when an earlier HP-UX Bastille configuration was
applied to the system.
/var/opt/sec_mgmt/bastille/log/Assessment/Drift.txt
5 Troubleshooting
5.1 Diagnostic tips
When troubleshooting issues with HP-UX, remember these tips:
To revert changes:
# bastille -r
Changes made by HP-UX Bastille can potentially cause other software to stop working.
HP recommends making changes in a non-production environment. Fully test all production
applications after HP-UX Bastille is applied before putting the systems into production.
On HP-UX systems, do not run HP-UX Bastille during a Software Distributor operation
such as swinstall and swremove because file-lock errors might occur.
On HP-UX machines, do not run HP-UX Bastille during heavy use of the system, or when
running applications that modify the system configuration. During these times, HP-UX
Bastille might not be able to get exclusive access to some of the necessary files. If this happens,
run bastille -b when the machine is quiet to reapply the changes.
Install the latest patches on your system to ensure that it is as secure as possible. If current
patches are not applied, your system can be compromised even though you use this program.
HP-UX uses the Security Patch Check tool to help with this process. HP-UX Bastille will help
with the installation of the Security Patch Check tool.
NOTE: Because some patches and software can return settings to default values, rerun
HP-UX Bastille to maintain system security.
5.3.7 HP Secure Shell locks you out of your system immediately when passwords expire
You might need PAM patch: PHCO_24839 (HP-UX 11.11) available at the HP IT Resource Center:
https://www2.itrc.hp.com/service/patch/mainPage.do
5.3.10 Rerun HP-UX Bastille after installing new software or applying new patches
Installing new software or applying new patches might change the system state. On HP-UX, if
vendor-specific fix scripts are run with swverify using either the -x fix=true option or the
-F option, then rerun HP-UX Bastille.
6.1 Contacting HP
In other locations, see the Contact HP worldwide (in English) webpage
(http://welcome.hp.com/country/us/en/wwcontact.html).
The HP-UX Security Forum is offered through the HP IT Resource Center (ITRC) at:
ITRC Forums Security
Product specifications and download:
http://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=B6849AA.
For more information about HP-UX Bastille compatibility with Serviceguard, see the Serviceguard
documentation available at:
http://www.hp.com/go/hpux-serviceguard-docs.
The IPFilter-SG rules are documented in the HP-UX IPFilter Version 17 Administrator's Guide.
IPFilter documentation is available at:
http://www.hp.com/go/hpux-security-docs
Table A-1 Security levels
Security level (configuration file):
Sec00Tools: not applicable
Sec10Host: HOST.config
Sec20MngDMZ: MANDMZ.config
Sec30DMZ: DMZ.config
NOTE: When you select either the Sec20MngDMZ or Sec30DMZ security level, IPFilter restricts
inbound network connections. For more information on how to add inbound ports to your
/etc/opt/ipf.customerrules file, see the HP-UX IPFilter (Version A.03.05.09 and later)
Administrator's Guide and the HP-UX System Administrator's Guide.
Using one of these security levels applies a default security profile, simplifying the lock-down
process. The following tables list the services and protocols affected by each security level.
IMPORTANT: Review these tables carefully. Some locked-down services and protocols might
be used by other applications and have adverse effects on the behavior or functionality of these
applications. You can change these security settings after installing or updating your system.
Table A-2 Host-based Sec10Host, Sec20MngDMZ, and Sec30DMZ security settings
Category: Action
Daemons:
Disable ptydaemon
Disable pwgrd
Disable rbootd
Disable NFS client daemons
Disable NFS server
Disable NIS client programs
Disable NIS server programs
Disable SNMPD
inetd services:
Disable bootp
Disable inetd built-in services
Disable CDE helper services
Disable finger
Disable ident
Disable klogin and kshell
Disable ntalk
Disable login, shell, and exec services
Disable swat
Disable printer
Disable recserv
Disable tftp
Disable time
Disable uucp
Disable Event Monitoring Services (EMS) network communication
Enable logging for all inetd connections
sendmail
Other settings
Table notes:
1. Manual action may be required to complete configuration. For more information, see
/etc/opt/sec_mgmt/bastille/TODO.txt after update or installation.
2. The following ndd changes are made:
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=1000
Table A-3 Additional Sec20MngDMZ security settings
Category: Action
inetd services
IPFilter configuration (see note 2)
Table A-4 Additional Sec30DMZ security settings
Category: Action
IPFilter configuration (see note 2)
Table notes:
1. Applies all security configuration settings in Table A-2 and Table A-3.
2. Additional IPFilter rules may be applied with a custom rules file located at
/etc/opt/sec_mgmt/bastille/ipf.customrules.
3. Settings applied only if software is installed.
4. HP-UX Host IDS is a selectable software bundle and only available for commercial servers.
5. WBEM is required for several HP management applications including HP Systems Insight
Manager (SIM) and ParMgr.
If you have applied configuration changes to the system since the last time HP-UX
Bastille was used, apply the changes manually.
a. Remove the # from the /etc/inetd.conf file line:
#auth stream tcp6 wait bin /usr/lbin/identd identd
b.
C Question modules
AccountSecurity.ABORT_LOGIN_ON_MISSING_HOMEDIR
AccountSecurity.atuser
AccountSecurity.AUTH_MAXTRIES
AccountSecurity.block_system_accounts
AccountSecurity.create_securetty
Default: N
Description: HP-UX Bastille can restrict root from logging into a tty over the network. This
forces administrators to log in first as a non-root user, then su to become root.
Root logins are still permitted on the console and through services that do not
use tty's like HP-UX Secure Shell.
Actions: Create or replace the file /etc/securetty with the single entry console.
AccountSecurity.crontabs_file
Actions: Change ownership and permissions for all crontab files permitting access only
to root.
AccountSecurity.cronuser
AccountSecurity.gui_login
AccountSecurity.hidepasswords
Description: HP-UX stores the encrypted password string for each user in the /etc/passwd
file. These encrypted strings are viewable by anyone with access to the /etc/
file system, typically all users. Using the encrypted string, an attacker can find
valid passwords for your system.
Actions: Convert system to trusted mode or use shadowed passwords (dependent on
OS version).
AccountSecurity.lock_account_nopasswd
AccountSecurity.mesgn
AccountSecurity.MIN_PASSWORD_LENGTH
AccountSecurity.NOLOGIN
AccountSecurity.NUMBER_OF_LOGINS_ALLOWED
AccountSecurity.NUMBER_OF_LOGINS_ALLOWEDyn
AccountSecurity.PASSWORD_HISTORY_DEPTH
AccountSecurity.PASSWORD_HISTORY_DEPTHyn
AccountSecurity.PASSWORD_MAXDAYS
AccountSecurity.PASSWORD_MINDAYS
AccountSecurity.PASSWORD_WARNDAYS
Headline: Set the number of days a user will be warned that their password will expire.
Default: 28
Description: This parameter controls the default number of days before password expiration
that a user is warned that the password must be changed. For systems running
HP-UX 11.11 and HP-UX 11.0, setting this value requires conversion to trusted
mode. For HP-UX 11.22 and later, shadowed password conversion is required.
This parameter applies only to local non-root users.
Actions: Sets the parameter PASSWORD_WARNDAYS in the /etc/default/security
file.
AccountSecurity.passwordpolicies
AccountSecurity.restrict_home
AccountSecurity.root_path
AccountSecurity.serial_port_login
AccountSecurity.single_user_password
has physical access to the machine and enough time, there is very little you
can do to prevent unauthorized access. This may be more problematic when
an authorized administrator can't remember the password. Note: For HP-UX
11.22 and prior, this requires conversion to trusted mode. HP-UX Bastille will
automatically do the conversion if you select this option. Trusted mode is
incompatible with LDAP-UX client services prior to version 3.0 and can cause
other incompatibility issues with applications which do their own
authentication.
Actions: Sets the parameter BOOT_AUTH=1 in the /etc/default/security file. For
HP-UX 11.22 and prior, convert to trusted mode, and ensure bootpw=YES is set
with modprdef.
AccountSecurity.SU_DEFAULT_PATH
AccountSecurity.SU_DEFAULT_PATHyn
AccountSecurity.system_auditing
AccountSecurity.umask
configuring a umask for all of the user shells, HP-UX 11.22 and later have an
option in the /etc/default/security file to set the default system umask.
This parameter controls umask(2) of all sessions initiated with pam_unix(5)
which can then be overridden by the shell. NOTE: If your system is converted
to trusted mode, this parameter will be overridden by the trusted system
default umask, which is 077.
Actions: Set the selected umask in all known shell startup scripts.
AccountSecurity.umaskyn
AccountSecurity.unowned_files
AccountSecurity.user_dot_files
AccountSecurity.user_rc_files
Headline: Delete .shosts, .rhosts, and .netrc from the local user accounts
Default: Y
Description: .shosts, .rhosts, and .netrc are files that sit in the home directories of users and
are used to create trust relationships between given users on a system and
other systems. Such non-interactive trust is dangerous as it creates the potential
for an attacker to leverage those trust relationships if they manage to expose
an account. If there is no business need for static trust, delete these files.
Actions: Find all local non-root login home directories, and delete the files .shosts,
.rhosts, and .netrc if found within those directories.
Apache.chrootapache
Actions: Makes a copy of Apache and related binaries and libraries and places them
inside of a chroot jail.
Apache.deactivate_hpws_apache
DNS.chrootbind
Actions: Make a copy of BIND and related binaries and libraries and place them inside
of a chroot jail.
FilePermissions.world_writeable
Actions: Scan the system for world-writeable directories. Create a script to tighten these
permissions. HP-UX Bastille does not run this script, but offers it as a starting
point for users to review and modify.
FTP.ftpbanner
FTP.ftpusers
Default: N
Description: The ftpusers file allows the administrator to set accounts that shall not be
allowed to log in through the ftpd. Default system users should not be allowed
access to the system through the ftpd because it sends the username and
password in clear text over the network. HP-UX Bastille disallows ftp logins
to a WU-FTPD server from the following users: root, daemon, bin, sys, adm,
uucp, lp, nuucp, hpdb, and guest. If you have a compelling reason to allow
these users ftp access, then answer no to this question. Use this as a secondary
measure if you deactivated the ftp server.
Actions: Add the following user names to the /etc/ftpd/ftpusers file: root,
daemon, bin, sys, adm, uucp, lp, nuucp, hpdb, and guest.
HP_UX.gui_banner
HP_UX.mail_config
HP_UX.ndd
Description: The following ndd changes are made:
arp_cleanup_interval=60000
ip_forward_directed_broadcasts=0
ip_forward_src_routed=0
ip_forwarding=0
ip_ire_gw_probe=0
ip_pmtu_strategy=1
ip_respond_to_echo_broadcast=0
ip_respond_to_timestamp=0
ip_respond_to_timestamp_broadcast=0
ip_send_redirects=0
ip_send_source_quench=0
tcp_conn_request_max=4096
tcp_syn_rcvd_max=4096
For more information on each of these parameters, run ndd -h.
NOTE: If you already have some non-default, non-HP-UX Bastille settings
in effect, you must merge the settings manually. A reminder is added to your
TODO.txt file.
IMPORTANT: Manual action may be required to complete this configuration.
See the TODO.txt file for details.
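A drift check for these ndd settings, as an added shell example that is not part of the manual and is not the bastille_drift utility: it compares the live kernel values against the HP_UX.ndd list above and reports every parameter that differs or cannot be read. It assumes ndd -get is queried with arp_* parameters under /dev/arp, ip_* under /dev/ip and tcp_* under /dev/tcp; NDD_SNAPSHOT and the function names are choices made here. Note that Table A-2 lists tcp_syn_rcvd_max=1000 while Appendix C lists 4096, so edit the list to match the profile you actually applied.

```shell
# Added example, not from the HP-UX Bastille manual.
# Expected settings, one "parameter value" pair per line (Appendix C values).
BASTILLE_NDD="arp_cleanup_interval 60000
ip_forward_directed_broadcasts 0
ip_forward_src_routed 0
ip_forwarding 0
ip_ire_gw_probe 0
ip_pmtu_strategy 1
ip_respond_to_echo_broadcast 0
ip_respond_to_timestamp 0
ip_respond_to_timestamp_broadcast 0
ip_send_redirects 0
ip_send_source_quench 0
tcp_conn_request_max 4096
tcp_syn_rcvd_max 4096"

# Map a parameter name to the ndd device it is tuned under (assumed mapping).
ndd_device() {
    case "$1" in
        arp_*) echo /dev/arp ;;
        ip_*)  echo /dev/ip ;;
        tcp_*) echo /dev/tcp ;;
        *)     return 1 ;;
    esac
}

# Current value of one parameter. If NDD_SNAPSHOT names a file of
# "parameter value" lines (captured earlier, or constructed for a test),
# read it from there; otherwise query the live kernel with ndd -get.
ndd_current() {
    if [ -n "$NDD_SNAPSHOT" ]; then
        awk -v p="$1" '$1 == p { print $2; found = 1 } END { exit !found }' "$NDD_SNAPSHOT"
    else
        ndd -get "$(ndd_device "$1")" "$1"
    fi
}

# Save the live values of every parameter in the list to FILE so a later
# run (after patching or installing software) can be compared against it.
# Needs ndd, so run it on the HP-UX host itself.
ndd_snapshot() {
    printf '%s\n' "$BASTILLE_NDD" | while read -r param expected; do
        printf '%s %s\n' "$param" "$(ndd -get "$(ndd_device "$param")" "$param")"
    done > "$1"
}

# Print "parameter expected current" for each parameter that differs from
# the Bastille value (current is MISSING when it cannot be read).
# Returns 0 when nothing drifted, 1 otherwise.
ndd_drift() {
    out=$(printf '%s\n' "$BASTILLE_NDD" | while read -r param expected; do
        current=$(ndd_current "$param" 2>/dev/null) || current=MISSING
        [ "$current" = "$expected" ] || printf '%s %s %s\n' "$param" "$expected" "$current"
    done)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}
```

A drifted parameter is exactly the case the manual's NOTE describes: settings that have to be merged by hand rather than blindly re-applied.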
HP_UX.other_tools
HP_UX.restrict_swacls
HP_UX.scan_ports
HP_UX.screensaver_timeout
HP_UX.stack_execute
Default: Y
Description: A common way to gain privileged access is to provide some type of
out-of-bounds input that is not checked by a program. This input can be used
to overflow the stack in a way that leaves some cleverly written instructions
stored in a place that will be executed by the program. The HP-UX kernel is
able to disallow execution of commands from the stack. This contains many
of these types of attacks, making them ineffective. Because this is done at the
kernel level, it is independent of any application which may have a
vulnerability of this type. This will break some applications designed to execute
code off the stack, for example Java 1.2 programs using JDK/JRE 1.2.2 versions
older than 1.2.2.06. However, you can run chatr +es <executable file>
to override this for individual broken programs.
Actions: Invokes kctune -K executable_stack=0 to disable stack execution.
HP_UX.tcp_isn
IPFilter.block_cfservd
IPFilter.block_DNSquery
Actions: Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:
# do allow DNSquery incoming connections
pass in quick proto udp from any to any port = domain keep state
IPFilter.block_hpidsadmin
Actions: Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:
# do allow hpidsadmin incoming connections
pass in quick proto tcp from any to any port = hpidsadmin flags S keep state keep frags
IPFilter.block_hpidsagent
can result in attacks that go undetected and reports of many false alerts.
HIDS will work but your system may still be vulnerable.
Prevent the onset of attacks. If your system is vulnerable to attacks, those
vulnerabilities will remain even after HIDS is installed.
Find static security flaws on a system. For example, if the password file
contained an illegitimate account before HIDS was installed, that
illegitimate account remains a vulnerability even after HIDS is installed
and operational. Furthermore, HIDS cannot authenticate users of a valid
account. For example, if users share password information, HIDS cannot
ascertain the identity of an unauthorized user gaining access to a system
via a legitimate account login.
Actions: Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:
# do allow hpidsagent incoming connections
pass in quick proto tcp from any to any port = hpidsagent flags S keep state keep frags
IPFilter.block_netrange
IPFilter.block_ping
IPFilter.block_SecureShell
is the best way to do it. You should only block Secure Shell access if you have
an alternate, secure method to manage your machine (such as physical access
to the console or a secure terminal server) or if you do not use Secure Shell.
Otherwise, answer no to this question.
Actions: Enable incoming network traffic for this service by adding the following lines
to the /etc/opt/ipf/ipf.conf file when actively managed by HP-UX Bastille:
# do allow SecureShell incoming connections
pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
IPFilter.block_wbem
IPFilter.block_webadmin
connections
any to any port = 1188
incoming connections
any to any port = 1110
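To review which inbound ports rules of this form leave open, here is an added shell example (not from the manual): it lists the "pass in" rules of an IPFilter rules file as "protocol port" pairs, skipping comments and block rules, and answers whether a given service is allowed in. The function names are choices made here, and the sample file in the test is constructed from the rules shown above.

```shell
# Added example, not from the HP-UX Bastille manual.
# List inbound allow rules in an IPFilter rules file, one "proto port" per
# line. Only "pass in" rules with a "port = X" clause (the form Bastille
# writes, as shown above) are reported; comments, blank lines, "block"
# rules and outbound rules are ignored. Protocol or port defaults to "any"
# when the rule does not restrict it.
ipf_inbound_allowed() {
    awk '
        $1 ~ /^#/ || NF == 0 { next }
        $1 == "pass" && $2 == "in" {
            proto = "any"; port = "any"
            for (i = 1; i <= NF; i++) {
                if ($i == "proto") proto = $(i + 1)
                if ($i == "port" && $(i + 1) == "=") port = $(i + 2)
            }
            print proto, port
        }
    ' "$1"
}

# Exit 0 if the file allows inbound traffic for the given protocol and port
# (a service name such as "domain", or a number such as 22), else 1.
ipf_port_allowed() {
    ipf_inbound_allowed "$1" | grep -qxF "$2 $3"
}
```

Run ipf_inbound_allowed /etc/opt/ipf/ipf.conf after each HP-UX Bastille run and compare the list with the services the host is meant to expose.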
IPFilter.configure_ipfilter
Description: Block anything you are not asked about explicitly, including all incoming
traffic. If this is the first time you are using HP-UX Bastille to configure your
firewall, you will be asked about several service specific options if the
applicable software appears to be installed. If you have already configured a
firewall using HP-UX Bastille, you will only be asked about protocols which
are currently allowed by the HP-UX Bastille configuration.
IMPORTANT: Manual action required to complete this configuration. See
the TODO.txt file for details.
IPFilter.install_ipfilter
MiscellaneousDaemons.configure_ssh
MiscellaneousDaemons.diagnostics_localonly
Description: The HP-UX diagnostics daemon can listen on a network port. The diagnostics
GUI can be run remotely for administrators and support personnel to find
and fix hardware problems. Later versions of this daemon have the option to
only listen to local UNIX domain sockets. This way, the GUI can still be run
locally to diagnose hardware problems, but it does not allow a network attacker
to take advantage of any vulnerabilities that might be found in the future.
Actions:
Stop the diagnostics daemon.
Create the /var/stm/config/sys/local_only file.
Start the daemon.
MiscellaneousDaemons.disable_bind
MiscellaneousDaemons.disable_ptydaemon
MiscellaneousDaemons.disable_pwgrd
Headline: Disable pwgrd.
Default: N
Description: The pwgrd utility is the Password and Group Hashing and Caching daemon.
The pwgrd utility provides accelerated lookup of password and group
information for libc routines such as getpwuid and getgrnam. However,
on systems with normal sized (less than 50 entries) password files, pwgrd
slows lookups due to UNIX domain sockets overhead. The security benefit of
turning this service off is also based on the principle of minimalism. This
daemon runs as root and accepts input from non-privileged users.
Actions: If running, stop process pwgrd. Set PWGR=0 in /etc/rc.config.d/pwgr.
MiscellaneousDaemons.disable_rbootd
Headline: Deactivate rbootd.
Default: Y
Description: The rbootd daemon is used for the RMP protocol, which is a predecessor to
the "bootp" protocol which serves DHCP. Unless you are using this machine
to serve dynamic IP addresses to very old HP-UX systems (prior to 10.0, or
older than s712), you have no reason to run this.
MiscellaneousDaemons.disable_smbclient
Headline
Default
Description
Actions
MiscellaneousDaemons.disable_smbserver
Headline
Default
Description
Actions
MiscellaneousDaemons.nfs_core
Headline
Default
Description
Actions
MiscellaneousDaemons.nobody_secure_rpc
Headline
Default
Description
Actions
MiscellaneousDaemons.snmpd
Headline: Disable SNMPD.
Default: N
Description:
Actions:
MiscellaneousDaemons.syslog_localonly
Headline
Default
Description
Actions
MiscellaneousDaemons.xaccess
Headline
Default
Description
Actions
other_boot_serv
Headline
Default
Description
Patches.spc_cron_run
Headline
Default
Description
Actions
Patches.spc_cron_time
Headline
Default
Description
Actions
Patches.spc_proxy_yn
Headline
Default
Description
Actions
Patches.spc_run
Headline: Run SWA/SPC.
Default: Y
Description: Patching, updating, and configuring software to address known
security vulnerabilities is important for securing a system. SWA and SPC are
tools that analyze the software installed on the system. HP-UX Bastille runs
SWA if version C.01.01 or later is installed; otherwise, SPC is used to create
a security-compliance report. The security compliance report lists:
    Installed patches that have warnings (recalls) issued by HP.
    Security patches announced by HP that would fix installed software but
    have not been applied.
    Currently installed patches that are not properly configured.
    Software that needs to be removed or updated to comply with a bulletin.
    Manual actions necessary to bring the server to bulletin compliance.
SWA and SPC can work through a proxy-type firewall to download current
catalogs from HP with security and patch-warning information. Bulletin
compliance requires vigilance: new vulnerabilities are found and fixed on a
regular basis. HP recommends running one of these tools frequently, such as
in a nightly cron job (a separate question covers this). HP recommends that
you subscribe to the HP Security Bulletin mailing list.
NOTE: SPC uses the clear-text protocols FTP or HTTP if a link cannot be
established with https. The output of this tool is appended to the HP-UX
Bastille generated TODO.txt file so that you can apply the necessary patches.
IMPORTANT: Manual action required to complete this configuration. See the
TODO.txt file for details.
Actions:
Printing.printing
Headline: Disable printing.
Default: N
Description: If this machine does not print, stop the print scheduler and
disable the associated print daemon utilities. On Linux, this includes
restricting the daemon file permissions. On HP-UX, this includes disabling the
xprintserver and pd client services where applicable.
Actions: If running, stop processes lpsched and pdclientd.
Set XPRINTSERVERS= in /etc/rc.config.d/tps.
Set LP=0 in /etc/rc.config.d/lp.
Set PD_CLIENT=0 in /etc/rc.config.d/pd.
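The "Set VAR=value in /etc/rc.config.d/..." actions of the printing question above and of MiscellaneousDaemons.disable_pwgrd are all the same edit: rewrite one assignment in a shell-style configuration file without disturbing the rest of it. The script below is an added example, not HP-UX Bastille's own code. It assumes POSIX sh, awk and mktemp, and it works only on constructed sample files written to temporary paths; the real /etc/rc.config.d is never touched.

```shell
#!/bin/sh
# Added example (not HP-UX Bastille's own code): set a VAR=value line in an
# /etc/rc.config.d-style file idempotently, the edit the printing and pwgrd
# actions describe (LP=0, PD_CLIENT=0, XPRINTSERVERS=, PWGR=0).
# Assumes POSIX sh, awk and mktemp. The files below are constructed samples
# written to temporary paths; nothing touches the real /etc/rc.config.d.

# set_rc_var FILE VAR VALUE
# Rewrite every existing "VAR=..." assignment in FILE to "VAR=VALUE", or append
# one if the file has none. Comments and other variables are left untouched,
# and the file is rewritten in place so its mode and owner are preserved.
set_rc_var() {
    _f=$1; _v=$2; _val=$3
    [ -r "$_f" ] || return 1
    _tmp=$(mktemp) || return 1
    awk -v var="$_v" -v val="$_val" '
        $0 ~ ("^[ \t]*" var "=") { print var "=" val; seen = 1; next }
        { print }
        END { if (!seen) print var "=" val }
    ' "$_f" > "$_tmp" && cat "$_tmp" > "$_f"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# get_rc_var FILE VAR
# Print the value the rc scripts would see when they source FILE: the last
# assignment wins; prints an empty line if VAR is not set.
get_rc_var() {
    awk -v var="$2" '
        $0 ~ ("^[ \t]*" var "=") { sub("^[ \t]*" var "=", ""); v = $0 }
        END { print v }
    ' "$1"
}

# Constructed samples standing in for /etc/rc.config.d/lp, pd, tps and pwgr.
LP_CONF=$(mktemp);   printf '%s\n' '# lp rc config (sample)' 'LP=1' 'LPTAB=/etc/lptab' > "$LP_CONF"
PD_CONF=$(mktemp);   printf '%s\n' '# pd rc config (sample), no PD_CLIENT line yet' > "$PD_CONF"
TPS_CONF=$(mktemp);  printf '%s\n' 'XPRINTSERVERS="lp01 lp02"' > "$TPS_CONF"
PWGR_CONF=$(mktemp); printf '%s\n' '  PWGR=1' > "$PWGR_CONF"

set_rc_var "$LP_CONF"   LP            0    # existing line rewritten
set_rc_var "$PD_CONF"   PD_CLIENT     0    # no line yet: appended
set_rc_var "$TPS_CONF"  XPRINTSERVERS ""   # empty value, as the tps action needs
set_rc_var "$PWGR_CONF" PWGR          0    # indented assignment still matched
set_rc_var "$LP_CONF"   LP            0    # second run changes nothing

echo "LP is now $(get_rc_var "$LP_CONF" LP); file:"
cat "$LP_CONF"
```

Checking the value with get_rc_var after the edit is the useful part: rc.config.d files are sourced by the boot scripts, so a stray second assignment lower in the file would silently override the one you changed, and the last-wins lookup shows what will actually take effect.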
SecureInetd.banners
Headline
Default
Description
Actions
SecureInetd.deactivate_bootp
Headline: Ensure that the inetd bootp service does not run on this system.
Default: Y
Description: The bootpd daemon implements three functions: a DHCP server, an
Internet Boot Protocol (BOOTP) server, and a DHCP/BOOTP relay agent. If this
system is not a BOOTP/DHCP server or a DHCP/BOOTP relay agent, HP recommends
disabling this service.
Actions: Comment out the entry for bootp in the /etc/inetd.conf file.
SecureInetd.deactivate_builtin
Headline: Ensure that the inetd built-in services do not run on this system.
Default: N
Description: The inetd built-in services include chargen, daytime, discard,
and echo. These services are rarely used, and when they are it is generally
for testing. The UDP versions of these services can be used in a Denial of
Service attack, and therefore HP recommends disabling these services.
The daytime service sends the current date and time as a human-readable
character string (RFC 867). The discard service throws away anything that is
sent to it, similar to /dev/null (RFC 863). The chargen service (character
generator) sends a stream of some undefined data, preferably data in some
recognizable pattern (RFC 862). The echo service returns the packets sent to
it (RFC 862).
Actions: Comment out the entries for daytime, echo, discard, and chargen in
the /etc/inetd.conf file.
SecureInetd.deactivate_dttools
Headline: Ensure the inetd CDE helper services do not run on this system.
Default: N
Description: The dtspcd, ttdbserver, and cmsd services are used by CDE. Each
service has merits, but they are all rarely used and mostly deprecated.
Actions: In the /etc/inetd.conf file, comment out the entries for:
    dtspc stream tcp nowait root /usr/dt/bin/dtspcd /usr/dt/bin/dtspcd
    rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
    rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
SecureInetd.deactivate_finger
Headline: Ensure the inetd finger service does not run on this system.
Default: Y
Description: The server for the RFC 742 Name/Finger protocol is fingerd. It
provides a network interface to finger, which gives a status report of the
users currently logged in to the system or a detailed report about a specific
user. For more information about the finger command, see finger(1). HP
recommends disabling the service because fingerd provides local system user
information to remote sources, and this can be useful to someone attempting to
break into your system.
Actions: In the /etc/inetd.conf file, comment out the entry for finger.
SecureInetd.deactivate_ftp
Headline: Ensure that the inetd FTP service does not run on this system.
Default: N
Description:
Actions:
SecureInetd.deactivate_ident
Headline: Ensure that the inetd ident service does not run on this system.
Default: N
Description: The ident service implements the TCP/IP proposed standard IDENT
user identification protocol as specified in RFC 1413. The identd service
operates by looking up specific TCP/IP connections and returning the user name
of the process owning the connection. This service can be used to determine
user information on a given machine in preparation for a brute-force password
attack such as a dictionary attack. HP recommends disabling this service unless
compelled by application-specific needs.
Actions: In the /etc/inetd.conf file, comment out the entry for auth or ident.
SecureInetd.deactivate_ktools
Headline: Ensure that the inetd klogin and kshell services do not run on this
system.
Default: N
Description: The kshell and klogin services use Kerberos authentication
protocols. If this machine is not using the Kerberos scheme, HP recommends
disabling these services. Any service or daemon running on the system that is
not needed or used should be disabled.
Actions: In the /etc/inetd.conf file, comment out the entries for kshell and
klogin.
SecureInetd.deactivate_ntalk
Headline: Ensure that the inetd ntalk service does not run on this system.
Default: N
Description: The ntalk service is a visual communication program that predates
instant messaging applications and copies lines from your terminal to another
user's terminal. The ntalk service is considered a light security hazard, but
it should be disabled if not used on this machine.
Actions: In the /etc/inetd.conf file, comment out the entry for ntalk.
SecureInetd.deactivate_printer
Headline: Ensure the inetd printer service does not run on this system.
Default: N
Description: The printer service is a line printer daemon that accepts remote
spool requests. It uses the rlp daemon to process remote print requests,
display the queue, and remove jobs from the queue upon request. If this machine
is not used as a remote print spooler, this service should be disabled.
Actions: In the /etc/inetd.conf file, comment out the entry for printer.
SecureInetd.deactivate_recserv
Headline: Ensure the inetd recserv service does not run on this system.
Default: N
Description: The HP SharedX Receiver Service receives shared windows from
another machine in X without explicitly performing any xhost command. This
service is required for MPower remote windows; if you use MPower, leave this
service running on your system. The SharedX Receiver Service is an automated
wrapper around the xhost command. For more information about the xhost
command, see xhost(1). This service should be disabled unless shared windows
are viewed often on this machine. The xhost command is generally the more
secure solution because it makes all sharing of windows explicit.
Actions: In the /etc/inetd.conf file, comment out the entry for recserv.
SecureInetd.deactivate_rquotad
Headline: Ensure the inetd rquotad service does not run on this system.
Default: Y
Description: The rquotad server is an RPC server that returns quotas for a user
of a local file system mounted remotely through NFS. This service should be
disabled if quotas are not used with NFS.
Actions: In the /etc/inetd.conf file, comment out the entry for rpc.rquotad.
SecureInetd.deactivate_rtools
Headline: Ensure that the login, shell, and exec services do not run on this
system.
Default: N
Description: The login, shell, and exec services use the r-tools rlogind,
remshd, and rexecd respectively, which use IP-based authentication. This form
of authentication can be easily defeated by forging packets that suggest the
connecting machine is a trusted host when in fact it may be an arbitrary
machine on the network. Administrators in the past have found these services
useful, but many are unaware of the security ramifications of leaving them
enabled.
Actions: In the /etc/inetd.conf file, comment out the entries for login,
shell, and exec.
SecureInetd.deactivate_swat
Headline: Ensure the inetd swat service does not run on this system.
Default: N
Description: The swat service allows a Samba administrator to configure Samba
through a web browser: administrators can view the configuration, change it,
and apply the change through the web. The drawback from a security standpoint
comes from the authentication method used for the Samba administrator.
Clear-text passwords are passed over the network if a connection is initiated
from an outside source. This form of authentication is easily defeated, and HP
recommends not running the swat service on this machine.
Actions: In the /etc/inetd.conf file, comment out the entry for swat.
SecureInetd.deactivate_telnet
Headline: Ensure that the telnet service does not run on this system.
Default: N
Description: Telnet is not secure. Telnet is shipped on most operating systems
for backward compatibility. Do not use it in an untrusted network. Telnet is a
clear-text
Deactivating the telnetd service will not affect your Telnet client.
SecureInetd.deactivate_tftp
Headline: Ensure the inetd TFTP service does not run on this system.
Default: Y
Description: The Trivial File Transfer Protocol (TFTP) is often used to
download operating system images and configuration data to diskless hosts.
TFTP is a UDP-based file-transfer program that provides little security. If
this machine is not a boot server for diskless hosts/appliances or an
Ignite-UX server, TFTP should be disabled.
Actions: In the /etc/inetd.conf file, comment out the entry for tftp.
SecureInetd.deactivate_time
Headline: Ensure the inetd time service does not run on this system.
Default: N
Description: The time service built into inetd produces a machine-readable
time in seconds since midnight on 1 January 1900 (RFC 868). It is used for
clock synchronization, but it lacks the ability to be configured securely. HP
recommends disabling the time service for this machine. Use the Network Time
Protocol to synchronize clocks instead, because XNTP can be configured
securely. For more information on XNTP, see xntpd(1).
Actions: In the /etc/inetd.conf file, comment out the entry for time.
SecureInetd.deactivate_uucp
Headline: Ensure the inetd uucp service does not run on this system.
Default: Y
Description: UNIX to UNIX Copy (UUCP) copies the files named by the
source_files argument to the destination identified by the destination_file
argument. UUCP uses a clear-text transport for authentication, and it is not
commonly used. HP recommends disabling this service and using a more secure
file transfer program such as scp.
Actions: In the /etc/inetd.conf file, comment out the entry for uucp.
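Nearly every SecureInetd.deactivate_* action above comes down to the same edit: comment out the matching entry in /etc/inetd.conf. Two kinds of entry appear on this page, plain ones keyed by the service name in the first column (finger, telnet, login, time, ...) and RPC ones keyed by the server program (rpc.rquotad, rpc.ttdbserver, rpc.cmsd), so the script below handles both and then lists what is still enabled. It is an added example, not HP-UX Bastille's own code; it assumes POSIX sh and awk and works on a constructed sample file in a temporary location, never on the live /etc/inetd.conf (on a real system inetd must also be told to re-read its configuration before the change takes effect).

```shell
#!/bin/sh
# Added example (not HP-UX Bastille's own code): comment out /etc/inetd.conf
# entries the way the SecureInetd deactivate_* actions describe, then list what
# is still enabled. Assumes POSIX sh and awk. The inetd.conf below is a
# constructed sample written to a temporary file; the /sample/... daemon paths
# are placeholders, and the live /etc/inetd.conf is never touched.

INETD_CONF=$(mktemp)
cat > "$INETD_CONF" <<'EOF'
# constructed sample inetd.conf: service socket proto wait user program args
ftp      stream tcp6 nowait root /sample/lbin/ftpd     ftpd -l
telnet   stream tcp6 nowait root /sample/lbin/telnetd  telnetd
#tftp    dgram  udp  wait   root /sample/lbin/tftpd    tftpd
login    stream tcp6 nowait root /sample/lbin/rlogind  rlogind
shell    stream tcp6 nowait root /sample/lbin/remshd   remshd
exec     stream tcp6 nowait root /sample/lbin/rexecd   rexecd
finger   stream tcp6 nowait bin  /sample/lbin/fingerd  fingerd
daytime  stream tcp6 nowait root internal
daytime  dgram  udp6 nowait root internal
rpc dgram udp wait root /usr/dt/bin/rpc.cmsd 100068 2-5 rpc.cmsd
rpc xti tcp swait root /usr/dt/bin/rpc.ttdbserver 100083 1 /usr/dt/bin/rpc.ttdbserver
EOF

# disable_inetd_service FILE NAME
# Comment out every enabled entry for NAME. Plain entries are matched on the
# service field (column 1); RPC entries (service field "rpc") are matched on
# the basename of the program path (column 6) or on the last field, so
# "rpc.cmsd" and "rpc.ttdbserver" work as names. Lines that are already
# comments are left alone, which makes repeated runs harmless.
disable_inetd_service() {
    _f=$1; _name=$2
    _tmp=$(mktemp) || return 1
    awk -v name="$_name" '
        /^[ \t]*#/ || NF == 0 { print; next }
        {
            hit = ($1 == name)
            if (!hit && $1 == "rpc") {
                n = split($6, p, "/")
                if (p[n] == name || $NF == name) hit = 1
            }
            if (hit) $0 = "#" $0
            print
        }
    ' "$_f" > "$_tmp" && cat "$_tmp" > "$_f"
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# active_inetd_services FILE
# Print the names of the entries still enabled, one per line, deduplicated.
active_inetd_services() {
    awk '!/^[ \t]*#/ && NF > 0 {
            if ($1 == "rpc") { n = split($6, p, "/"); print p[n] } else print $1
         }' "$1" | sort -u
}

# Apply the actions for the services this page says to turn off when unused;
# ftp is deliberately left enabled so the remaining list is not empty.
for _svc in telnet login shell exec finger daytime rpc.cmsd rpc.ttdbserver; do
    disable_inetd_service "$INETD_CONF" "$_svc"
done

echo "still enabled:"
active_inetd_services "$INETD_CONF"
```

The active_inetd_services listing is the check worth keeping: run it after an edit (or after a Bastille run) and compare against the services this system is actually supposed to offer; anything else is an entry that was missed, or one that was re-enabled by a later package install.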
SecureInetd.ftp_logging
Headline
Default
Description
Actions
SecureInetd.inetd_general
Headline
Default
Description
Actions
SecureInetd.log_inetd
Headline
Default
Description
Actions
SecureInetd.owner
Headline
Default
Description
Actions
Sendmail.sendmailcron
Headline
Default
Description
NOTE: While processing the mail queue, sendmail does not accept inbound
connections.
NOTE:
Actions
Sendmail.sendmaildaemon
Headline
Default
Description
Actions
Sendmail.vrfyexpn
Headline
Default
Description
Actions
MiscellaneousDaemons.disable_bind=1
MiscellaneousDaemons.disable_ptydaemon=1
MiscellaneousDaemons.disable_pwgrd=1
MiscellaneousDaemons.disable_rbootd=1
MiscellaneousDaemons.disable_smbclient=1
MiscellaneousDaemons.disable_smbserver=1
MiscellaneousDaemons.nfs_client=1
MiscellaneousDaemons.nfs_core=1
MiscellaneousDaemons.nfs_server=1
MiscellaneousDaemons.nis_client=1
MiscellaneousDaemons.nis_server=1
MiscellaneousDaemons.nisplus_client=1
MiscellaneousDaemons.nisplus_server=1
MiscellaneousDaemons.nobody_secure_rpc=1
MiscellaneousDaemons.other_boot_serv=1
MiscellaneousDaemons.snmpd=1
MiscellaneousDaemons.syslog_localonly=1
MiscellaneousDaemons.xaccess=1
Patches.spc_cron_run=1
Patches.spc_run=1
Printing.printing=1
SecureInetd.banners=1
SecureInetd.deactivate_bootp=1
SecureInetd.deactivate_builtin=1
SecureInetd.deactivate_dttools=1
SecureInetd.deactivate_finger=1
SecureInetd.deactivate_ftp=1
SecureInetd.deactivate_ident=1
SecureInetd.deactivate_ktools=1
SecureInetd.deactivate_ntalk=1
SecureInetd.deactivate_printer=1
SecureInetd.deactivate_recserv=1
SecureInetd.deactivate_rquotad=1
SecureInetd.deactivate_rtools=1
SecureInetd.deactivate_swat=1
SecureInetd.deactivate_telnet=1
SecureInetd.deactivate_tftp=1
SecureInetd.deactivate_time=1
SecureInetd.deactivate_uucp=1
SecureInetd.ftp_logging=1
SecureInetd.log_inetd=1
SecureInetd.owner=1
Sendmail.sendmailcron=1
Sendmail.sendmaildaemon=1
Sendmail.vrfyexpn=1
D.2 CIS.weight
The sample weight file below aligns with the CIS standard.
AccountSecurity.AUTH_MAXTRIES=1
AccountSecurity.MIN_PASSWORD_LENGTH=1
AccountSecurity.PASSWORD_HISTORY_DEPTH=1
AccountSecurity.PASSWORD_MAXDAYS=1
AccountSecurity.PASSWORD_MINDAYS=1
AccountSecurity.PASSWORD_WARNDAYS=1
AccountSecurity.atuser=1
AccountSecurity.block_system_accounts=1
AccountSecurity.create_securetty=1
AccountSecurity.crontabs_file=1
AccountSecurity.cronuser=1
AccountSecurity.gui_login=1
AccountSecurity.hidepasswords=1
AccountSecurity.lock_account_nopasswd=1
AccountSecurity.mesgn=1
AccountSecurity.restrict_home=1
AccountSecurity.root_path=1
AccountSecurity.serial_port_login=1
AccountSecurity.system_auditing=1
AccountSecurity.umask=1
AccountSecurity.unowned_files=1
AccountSecurity.user_dot_files=1
AccountSecurity.user_rc_files=1
Apache.deactivate_hpws_apache=1
FTP.ftpbanner=1
FTP.ftpusers=1
HP_UX.gui_banner=1
HP_UX.ndd=1
HP_UX.screensaver_timeout=1
HP_UX.stack_execute=1
HP_UX.tcp_isn=1
MiscellaneousDaemons.configure_ssh=1
MiscellaneousDaemons.disable_bind=1
MiscellaneousDaemons.disable_ptydaemon=1
MiscellaneousDaemons.disable_rbootd=1
MiscellaneousDaemons.disable_smbclient=1
MiscellaneousDaemons.disable_smbserver=1
MiscellaneousDaemons.nfs_client=1
MiscellaneousDaemons.nfs_core=1
MiscellaneousDaemons.nfs_server=1
MiscellaneousDaemons.nis_client=1
MiscellaneousDaemons.nis_server=1
MiscellaneousDaemons.nisplus_client=1
MiscellaneousDaemons.nisplus_server=1
MiscellaneousDaemons.nobody_secure_rpc=1
MiscellaneousDaemons.other_boot_serv=1
MiscellaneousDaemons.snmpd=1
MiscellaneousDaemons.syslog_localonly=1
MiscellaneousDaemons.xaccess=1
Printing.printing=1
SecureInetd.banners=1
SecureInetd.deactivate_bootp=1
SecureInetd.deactivate_builtin=1
SecureInetd.deactivate_dttools=1
SecureInetd.deactivate_finger=1
SecureInetd.deactivate_ftp=1
SecureInetd.deactivate_ident=1
SecureInetd.deactivate_ktools=1
SecureInetd.deactivate_ntalk=1
SecureInetd.deactivate_printer=1
SecureInetd.deactivate_recserv=1
SecureInetd.deactivate_rquotad=1
SecureInetd.deactivate_rtools=1
SecureInetd.deactivate_telnet=1
SecureInetd.deactivate_tftp=1
SecureInetd.deactivate_time=1
SecureInetd.deactivate_uucp=1
SecureInetd.log_inetd=1
SecureInetd.owner=1
Sendmail.sendmailcron=1
Sendmail.sendmaildaemon=1
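A weight file, as the two samples above show, is one Module.question=weight entry per line, and the practical question when you swap profiles is which checks the new profile stops scoring (CIS.weight, for instance, carries no entry for the Patches.* questions, SecureInetd.deactivate_swat, SecureInetd.ftp_logging, Sendmail.vrfyexpn or MiscellaneousDaemons.disable_pwgrd). The script below is an added example, not HP-UX Bastille's own code: it validates the syntax of a weight file and lists the questions one profile weights that another omits. It assumes POSIX sh and awk, and it skips blank lines and lines starting with "#" as an assumption about the format that this page does not state. Both files are constructed excerpts of the all.weight and CIS.weight samples, not the complete files.

```shell
#!/bin/sh
# Added example (not HP-UX Bastille's own code): check the syntax of weight
# files (one "Module.question=weight" per line) and list the questions one
# profile weights that another leaves out. Assumes POSIX sh and awk; blank
# lines and "#" comment lines are skipped (an assumption about the format).
# Both files below are constructed excerpts of the all.weight and CIS.weight
# samples, not the complete files.

ALL_WEIGHT=$(mktemp)
cat > "$ALL_WEIGHT" <<'EOF'
MiscellaneousDaemons.disable_pwgrd=1
MiscellaneousDaemons.disable_rbootd=1
Patches.spc_cron_run=1
Patches.spc_run=1
SecureInetd.deactivate_swat=1
SecureInetd.deactivate_telnet=1
SecureInetd.ftp_logging=1
Sendmail.vrfyexpn=1
EOF

CIS_WEIGHT=$(mktemp)
cat > "$CIS_WEIGHT" <<'EOF'
MiscellaneousDaemons.disable_rbootd=1
SecureInetd.deactivate_telnet=1
Sendmail.sendmaildaemon=1
EOF

# check_weight_file FILE
# Print every malformed line as FILE:LINE: text. Exit status is 0 only if every
# non-blank, non-comment line is Module.question=non-negative-integer.
check_weight_file() {
    awk 'BEGIN { bad = 0 }
         /^[ \t]*#/ || /^[ \t]*$/ { next }
         !/^[A-Za-z_][A-Za-z0-9_]*\.[A-Za-z_][A-Za-z0-9_]*=[0-9]+$/ {
             print FILENAME ":" FNR ": " $0; bad = 1
         }
         END { exit bad }' "$1"
}

# weights_missing_from A B
# Print the questions that carry a non-zero weight in A but are absent from B
# or weighted 0 there, i.e. the checks profile B would not score.
weights_missing_from() {
    awk -F= '/^[ \t]*#/ || /^[ \t]*$/ { next }
             NR == FNR { if ($2 + 0 > 0) inb[$1] = 1; next }
             $2 + 0 > 0 && !($1 in inb) { print $1 }' "$2" "$1"
}

check_weight_file "$ALL_WEIGHT" && check_weight_file "$CIS_WEIGHT" \
    && echo "both weight files are well formed"
echo "weighted in all.weight but not in CIS.weight:"
weights_missing_from "$ALL_WEIGHT" "$CIS_WEIGHT"
```

Running the comparison in both directions is worthwhile: the reverse call shows what CIS.weight scores that all.weight does not, and a question that appears in only one direction is usually a question module that was renamed or added in a newer release rather than a deliberate policy choice.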
CIS      HP-UX Bastille question(s)
1.1.1    Not Scorable
1.1.2    MiscellaneousDaemons.configure_ssh
1.1.3    Not Scorable
1.2
1.2.1    SecureInetd.deactivate_builtin
         SecureInetd.deactivate_finger
         SecureInetd.deactivate_ident
         SecureInetd.deactivate_ntalk
         SecureInetd.deactivate_recserv
         SecureInetd.deactivate_time
         SecureInetd.deactivate_uucp
         SecureInetd.deactivate_telnet
         SecureInetd.deactivate_ftp
         SecureInetd.deactivate_rtools
         SecureInetd.deactivate_tftp
         SecureInetd.deactivate_printer
         SecureInetd.deactivate_rquotad
         SecureInetd.deactivate_dttools
         SecureInetd.deactivate_ktools
         SecureInetd.deactivate_bootp
1.2.2    Not Applicable
1.2.3    Not Applicable
1.2.4    Not Applicable
1.2.5    Not Applicable
1.2.6    Not Applicable
1.2.7    Not Applicable
1.2.8    Not Applicable
1.2.9    Not Applicable
1.2.10   Not Applicable
1.3
1.3.1    AccountSecurity.serial_port_login
1.3.2    MiscellaneousDaemons.nis_client
         MiscellaneousDaemons.nis_server
         MiscellaneousDaemons.nisplus_server
         MiscellaneousDaemons.nisplus_client
1.3.3    Printing.printing
1.3.4    AccountSecurity.gui_login
1.3.5    Sendmail.sendmaildaemon
         Sendmail.sendmailcron
1.3.6    MiscellaneousDaemons.snmpd
1.3.7    MiscellaneousDaemons.disable_rbootd
         MiscellaneousDaemons.nfs_server
         MiscellaneousDaemons.nfs_client
         MiscellaneousDaemons.disable_ptydaemon
         Apache.deactivate_hpws_apache
         MiscellaneousDaemons.snmpd
         MiscellaneousDaemons.nfs_core
         MiscellaneousDaemons.other_boot_serv
         MiscellaneousDaemons.disable_smbclient
         MiscellaneousDaemons.disable_smbserver
         MiscellaneousDaemons.disable_bind
1.3.8    Not Applicable
1.3.9    Not Applicable
1.3.10   Not Applicable
1.3.11   Not Applicable
1.3.12   Not Applicable
1.3.13   Not Applicable
1.3.14   Not Applicable
1.4      Kernel Tuning
1.4.1    HP_UX.stack_execute
1.4.2    HP_UX.ndd
1.4.3    HP_UX.tcp_isn
1.4.4    HP_UX.ndd
1.5      File/Directory Permissions/Access
1.5.1    Not Scorable
1.5.2    Not Scorable
1.5.3    AccountSecurity.unowned_files
1.6
1.6.1    AccountSecurity.hidepasswords
1.6.2    FTP.ftpusers
1.6.3
1.6.4    MiscellaneousDaemons.xaccess
1.6.5    HP_UX.screensaver_timeout
1.6.6    Not Scorable
1.6.7    AccountSecurity.cronuser
         AccountSecurity.atuser
1.6.8    AccountSecurity.crontabs_file
1.6.9    AccountSecurity.create_securetty
1.6.10   AccountSecurity.AUTH_MAXTRIES
1.6.11   MiscellaneousDaemons.nobody_secure_rpc
1.7      Logging
1.7.1    AccountSecurity.system_auditing
1.7.2    SecureInetd.log_inetd
1.7.3    SecureInetd.ftp_logging
1.8
1.8.1    AccountSecurity.block_system_accounts
1.8.2    AccountSecurity.lock_account_nopasswd
         (CIS item: verify that there are no accounts with empty password fields)
1.8.3    AccountSecurity.PASSWORD_MAXDAYS
         AccountSecurity.PASSWORD_MINDAYS
         AccountSecurity.PASSWORD_WARNDAYS
1.8.4    AccountSecurity.PASSWORD_HISTORY_DEPTH
         AccountSecurity.MIN_PASSWORD_LENGTH
1.8.5    MiscellaneousDaemons.nis_client
1.8.6    AccountSecurity.root_path
1.8.7    AccountSecurity.restrict_home
1.8.8    AccountSecurity.user_dot_files
1.8.9    AccountSecurity.user_rc_files
1.8.10   AccountSecurity.umask
1.8.11   AccountSecurity.mesgn
1.9      Warning Banners
1.9.1    SecureInetd.banners
1.9.2    HP_UX.gui_banner
1.9.3    FTP.ftpbanner
Index
A
assessing, 11
C
compatibility, 8
configuration
    batch mode, 13
    creating, 11
    replicating, 11
    Serviceguard, 31
D
drift, 17
F
features, 7
file locations, 17
I
installation requirements, 9
installing, 9
ITS, 27
K
known issues, 21
P
performance, 8
Q
question modules, 33
R
related information, 23
removing, 19
reporting, 13
reverting, 16
S
scored assessment report, 14
security
    dependencies, 30
    levels, 27, 30
support, 8, 23
T
tips
    diagnostic, 21
    general use, 21
    issues and workarounds, 21
troubleshooting, 21
U
using, 11
W
weight files
    samples, 63
workarounds, 21